Microsoft Entra Privileged Identity Management (PIM): Just-In-Time Admin Access, Approval Workflows, and Access Reviews

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The security case for PIM is straightforward: a Global Administrator account with a standing active role assignment is a target worth compromising in any Microsoft 365 or Azure environment. An attacker who successfully phishes that account — or steals its session cookie via an adversary-in-the-middle attack — has immediate, persistent access to all admin capabilities without additional authentication steps. PIM changes this: a compromised account with only an eligible assignment cannot do anything with that eligibility without completing MFA on the compromised device (which may trigger Entra ID Protection's risk signals) or getting approval from a second administrator.
The operational cost of PIM is real but smaller than the security benefit. Administrators who previously clicked the Azure portal and immediately had admin access now click Activate, complete MFA, type a justification, and wait 30-60 seconds. In practice, administrators report this as a minor friction that quickly becomes habitual, and the activation audit log provides a compliance artifact that proves which administrator made which privileged changes during which time window — something that standing-role environments cannot provide.
Deployment: converting standing assignments to just-in-time eligible access
PIM deployment is a one-time conversion process that requires careful sequencing to avoid accidentally removing admin access from the people responsible for managing the PIM configuration. The critical sequencing rule is: verify that at least two administrators have working PIM eligible assignments and a tested activation workflow before removing any standing assignment, and never remove your own standing assignment until you have successfully activated the same role through PIM.
Deploy PIM in a pilot group of 3-5 administrators before converting the entire admin team
Start PIM deployment with a pilot group that includes the Security Administrator and 2-3 IT administrators who are available to troubleshoot activation issues during the pilot period. Convert only this pilot group from standing to eligible assignments, configure the activation settings (MFA required, justification required, 8-hour maximum duration, no approval for non-Global-Admin roles), and run the pilot group on PIM for two weeks. During the pilot, document any activation friction points (MFA method compatibility, notification email delivery issues, approval workflow delays) and address them before expanding to the full administrator population. Measure the pilot administrators' activation frequency during the two weeks to understand how many activations per day to expect at scale and whether the maximum activation duration is appropriate for actual work patterns. Expand to the full admin population after the pilot produces a stable, low-friction activation workflow.
Create PIM activation documentation for all administrators before converting standing assignments
Prepare administrator documentation covering the PIM activation process before converting any standing assignment, so that administrators are not caught without admin access and without knowledge of how to restore it. The documentation should include: how to access the PIM portal (entra.microsoft.com > PIM > My roles), how to activate a role (step-by-step with screenshots), what MFA methods are supported for PIM activation (authenticator app, FIDO2 key), how long activation takes with and without approval, and what to do if the activation request is denied or the MFA fails. Conduct a 30-minute training session for all administrators scheduled two days before the standing assignment conversion, and maintain a helpdesk contact available on the conversion day to assist administrators who have activation issues. The most common first-day activation issues are administrators who have an expired or unconfigured MFA method on their accounts — identify and remediate these before the conversion by checking MFA registration status for all admin accounts.
Access reviews and ongoing governance: closing the privileged access lifecycle
PIM's just-in-time activation addresses the standing privilege problem but does not automatically remove eligible assignments from users who no longer need them — former employees in a role before offboarding, project-specific access that was never revoked after the project ended, or users who accumulated role eligibility over time without any periodic revalidation. Access reviews are the governance mechanism that closes this lifecycle gap.
Configure automatic assignment removal for access reviews with non-responses to enforce least privilege without requiring manual cleanup
Set up PIM access reviews with automatic removal for non-responses: when a reviewer fails to confirm a user's eligible assignment before the review period closes, the assignment is automatically removed. This forces active reconfirmation of all privileged assignments every quarter rather than requiring a security team member to manually identify and remove stale assignments. Before enabling auto-removal, communicate to reviewers (typically managers and role owners) that non-response means access revocation — some organizations run the first review cycle with manual review of auto-remove decisions before enabling automatic enforcement. Configure the access review to send reminder emails at day 7 and day 12 of a 14-day review window, giving reviewers multiple prompts before the auto-remove deadline. After the first review cycle completes, audit the auto-removed assignments to verify no legitimate active users had their access inadvertently removed due to a reviewer oversight, and document the appeals process for affected users.
Forward PIM audit logs to Microsoft Sentinel for privileged action correlation and anomaly detection
Forward PIM audit logs to Microsoft Sentinel by connecting the Entra ID data connector, which automatically ingests AuditLogs and SigninLogs tables. PIM activation events appear in AuditLogs with ActivityDisplayName values of Add eligible member to role (assignment creation), Member has activated role in PIM (activation start), and Member has deactivated role in PIM (activation end). Build a Sentinel analytics rule that alerts on Global Administrator activations occurring outside of business hours (8am-6pm on business days for your timezone): AuditLogs | where ActivityDisplayName == 'Member has activated role in PIM' | where TargetResources[0].displayName == 'Global Administrator' | where hourofday(TimeGenerated) !between (8 .. 18) or dayofweek(TimeGenerated) in (0d, 6d). An after-hours Global Admin activation is either an emergency access event (which should correlate with an open incident ticket) or a potential account compromise using the eligible assignment.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The bottom line
Entra PIM is the most effective control for reducing privileged access risk in Microsoft cloud environments by converting the always-active standing role assignments that make admin accounts high-value compromise targets into time-limited, MFA-verified, audited just-in-time activations. Deploy by creating break-glass accounts with standing active assignments first, then converting all other privileged roles to eligible assignments using a pilot group to validate the activation workflow before full rollout. Configure approval workflows for Global Administrator activations and require justification text for all role activations to create audit evidence linking each privileged action to a stated business purpose. Set up quarterly access reviews with automatic removal for non-responses to maintain least-privilege role assignments without manual cleanup. Forward PIM audit logs to Microsoft Sentinel for after-hours activation alerting and privileged action correlation with other security events.
Frequently asked questions
How do I convert standing Global Administrator assignments to PIM eligible assignments?
Convert standing Global Administrator assignments to PIM eligible assignments by opening Microsoft Entra PIM, navigating to Manage > Microsoft Entra roles > Roles, selecting Global Administrator, and then selecting each current standing assignment (shown as Active in the Assignment type column). Click Remove to remove the standing assignment, then click Add assignments to add the same user as an Eligible assignment. After converting all standing Global Admin assignments to eligible, verify that the current signed-in user still has a standing assignment or that their PIM activation is currently active before converting their own assignment — otherwise they will lose current admin access and be unable to activate PIM themselves. Convert assignments in batches: start with lower-privileged roles (User Administrator, Exchange Administrator) to gain operational experience with PIM activation before converting the highest-privilege Global Administrator role. After converting all standing assignments, send a communication to all affected administrators explaining the new activation process: navigate to Entra ID > PIM > My roles, select the role, click Activate, complete MFA, enter justification, and submit.
How do I configure PIM activation settings for Global Administrator with approval workflow?
Configure PIM activation settings for Global Administrator by navigating to PIM > Microsoft Entra roles > Settings > Global Administrator and editing the Activation tab. Enable Require multifactor authentication on activation to require MFA each time the role is activated, even if the user has an active MFA session. Set Maximum activation duration to 4 hours for Global Administrator (the most privileged role should have the shortest activation window) and 8 hours for less privileged admin roles. Enable Require justification on activation to mandate a text reason for each activation, creating an audit record. Enable Require approval to activate and select 2-3 designated approvers who receive an email and can approve or deny the activation request from the PIM portal or from the email directly. Approvers should be Security Administrators or other senior administrators who are available during business hours — configure a backup approver group to prevent activation requests from being blocked when the primary approver is unavailable. After saving the settings, test the full activation workflow by having an eligible user attempt to activate the role, verifying the approver receives the notification, and confirming the role activation completes correctly.
How do I set up PIM access reviews for privileged role assignments?
Set up PIM access reviews to periodically revalidate that all eligible and active privileged role assignments are still justified and actively needed. Navigate to PIM > Microsoft Entra roles > Access reviews > New access review. Configure the review scope to include all Microsoft Entra roles or specific high-privilege roles (Global Administrator, Exchange Administrator, Security Administrator). Set the review frequency to Quarterly and the duration to 14 days — reviewers receive email notification at the start and reminders as the deadline approaches. Select Specific users or groups as reviewers and add the managers of each privileged user, or select Role approvers to assign review responsibility to the same people who approve PIM activations. Configure the action for non-responses (when a reviewer takes no action before the deadline): Auto-apply and Remove access ensures that users whose managers do not reconfirm access are automatically removed from the eligible assignment at the review cycle end. Send a review reminder at day 7 of the 14-day window. After the review completes, export the review decisions as audit evidence showing which assignments were reconfirmed and which were removed during the cycle.
How do I use PIM for Azure resource roles to manage subscription-level access?
Configure PIM for Azure resource roles by onboarding Azure subscriptions to PIM and converting Owner and Contributor standing assignments to just-in-time eligible assignments. Navigate to PIM > Azure resources > Select subscriptions > Discover resources, and select the Azure subscriptions to onboard to PIM management. After onboarding, navigate to Manage > Roles for the subscription and view all current role assignments — convert Owner and Contributor assignments from active to eligible using the same process as Entra role conversion. For Azure DevOps service principals and managed identities that use Owner or Contributor roles for deployment, PIM for Azure resources is not applicable (service principals use application credentials rather than user-interactive activation) — audit these separately and convert them to more specific roles (Contributor scoped to specific resource groups rather than subscription-level Owner). Configure PIM activation settings for each Azure role tier: Owner (highest risk) should require approval and have a 4-hour maximum duration, Contributor should require MFA and have an 8-hour maximum duration without approval for standard deployment activities. Monitor Azure PIM activations in the PIM audit log alongside Entra role activations for a complete privileged access audit trail.
How do I monitor PIM alerts for anomalous privileged access patterns?
Monitor PIM's built-in alerts for anomalous privileged access patterns by reviewing the PIM Alerts blade regularly and routing alert notifications to the security team. Navigate to PIM > Microsoft Entra roles > Alerts which shows active security alert findings including: Roles are being activated too frequently (a user is activating a role multiple times per day, which may indicate the maximum duration is too short or the user is using the role beyond its intended purpose), There are too many global administrators (more than 5 users with Global Admin eligible or active assignments, which is Microsoft's recommended maximum), Roles are being assigned outside of PIM (a role was assigned directly in Entra ID without going through PIM, bypassing the just-in-time enforcement), and Potential stale accounts in a privileged role (users with eligible assignments who have not activated the role in more than 180 days, suggesting the assignment is no longer needed). Configure the PIM email notifications to send to the security team email alias so new alert conditions are visible without requiring daily manual review of the PIM portal. Forward PIM audit log data to Microsoft Sentinel for advanced analytics rules detecting patterns like unusual activation times (Global Admin activated at 3am), unusually high activation frequency, or activations from unusual sign-in locations.
How do I configure PIM notifications for role activations and approvals?
Configure PIM notifications by editing the role settings for each privileged role and configuring the Notifications section at the bottom of each role's settings page. For each critical role (Global Administrator, Exchange Administrator, Security Administrator), configure: send email to role approver when eligible user requests activation (so approvers receive immediate notification of activation requests), send email to admin when a user is added to the role (so the security team is notified of new assignments), and send email to eligible user when activation is approved or denied (so the requesting user has immediate feedback). For roles without approval workflows, configure send email to admins when an eligible member activates the role to send a notification to the security team email alias — this creates a real-time notification of every privileged role activation that can be reviewed alongside the PIM audit log. Test each notification type by performing the corresponding action (submit an activation request, approve it, add a new eligible assignment) and verifying the correct email recipients receive the expected notification with sufficient detail to investigate if the action was unauthorized.
How do I measure whether PIM is actually reducing standing privilege exposure?
Measure PIM's effectiveness at reducing standing privilege exposure using two metrics: the standing privilege percentage and the privilege activation utilization rate. Calculate standing privilege percentage as (users with Active assignments to privileged roles) divided by (users with any privileged role assignment, Active or Eligible) — before PIM deployment this is typically 100%, and the target after full PIM deployment is below 5% (only break-glass accounts and service-specific active assignments remain). Calculate activation utilization rate as (PIM activations in the past 30 days) divided by (total eligible assignments) — users who have eligible assignments but never activate them are candidates for assignment removal in the next access review cycle. Export these metrics using the Microsoft Graph API: GET /beta/privilegedAccess/aadRoles/resources/{tenantId}/roleAssignments filters by assignmentState active or eligible to get the raw counts. Track these metrics monthly and report them to leadership as evidence that the just-in-time model is operating correctly — a rising standing privilege percentage over time indicates new administrator onboarding is not following the PIM-first process and needs process correction.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
